Latest Oracle E-Business Suite vulnerability: CVE-2025-61882
Oracle has disclosed a vulnerability in the Concurrent Processing product (BI Publisher Integration component) of certain versions of its E-Business Suite that, when exploited in sequence, may allow a remote, unauthenticated adversary to achieve arbitrary remote code execution (RCE). This vulnerability has been designated CVE-2025-61882 and has been rated critical with a CVSS score of 9.8. There is evidence that this vulnerability is being actively exploited in the wild.
The following versions are affected:
- Oracle E-Business Suite versions 12.2.3 through 12.2.14
What is Oracle E-Business Suite?
Oracle E-Business Suite (EBS) is a comprehensive suite of integrated applications that helps organizations manage and automate their core business operations, from finance and human resources to supply chain and customer relationships.
What is the impact?
Successful exploitation of this vulnerability would allow an adversary to execute arbitrary commands on the vulnerable host, potentially leading to complete system compromise.
Are updates or workarounds available?
Users are encouraged to upgrade affected versions of Oracle E-Business Suite to the latest patched version as quickly as possible. There is a note in the advisory stating that the October 2023 Critical Patch Update is a prerequisite for the updates.
How to find potentially vulnerable systems with runZero
From the Service inventory, use the following query to locate potentially vulnerable assets:
_asset.protocol:http AND protocol:http AND html.title:="E-Business Suite Home Page Redirect"
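The following is an added example, not runZero or Oracle code: a triage pass that applies the same exact-title match as the query above and then checks any known release against the affected range 12.2.3 through 12.2.14. The record layout and the field names `address`, `html_title` and `ebs_version` are assumptions made for illustration, and the sample records are constructed.

```python
import re

AFFECTED_MIN = (12, 2, 3)    # first affected release listed in the advisory
AFFECTED_MAX = (12, 2, 14)   # last affected release listed in the advisory
EBS_TITLE = "E-Business Suite Home Page Redirect"


def parse_version(text):
    """Return a dotted version as a tuple of ints, or None if unparseable."""
    if not text or not re.fullmatch(r"\d+(\.\d+)*", text.strip()):
        return None
    return tuple(int(part) for part in text.strip().split("."))


def in_affected_range(version):
    """Numeric comparison; as strings, "12.2.10" would sort before "12.2.3"."""
    padded = (version + (0, 0, 0))[:3]   # treat 12.2 as 12.2.0
    return AFFECTED_MIN <= padded <= AFFECTED_MAX


def triage(record):
    """Classify a record as not-ebs, affected, outside-range or verify."""
    if record.get("protocol") != "http":
        return "not-ebs"
    if record.get("html_title") != EBS_TITLE:   # exact match, like := above
        return "not-ebs"
    version = parse_version(record.get("ebs_version"))
    if version is None:
        return "verify"   # title matched but release unknown: confirm by hand
    return "affected" if in_affected_range(version) else "outside-range"


def report(records):
    return {r["address"]: triage(r) for r in records}


# Constructed sample records (hypothetical field names, documentation addresses).
SAMPLE = [
    {"address": "192.0.2.10", "protocol": "http", "html_title": EBS_TITLE, "ebs_version": "12.2.10"},
    {"address": "192.0.2.11", "protocol": "http", "html_title": EBS_TITLE, "ebs_version": None},
    {"address": "192.0.2.12", "protocol": "http", "html_title": EBS_TITLE, "ebs_version": "12.1.3"},
    {"address": "192.0.2.13", "protocol": "http", "html_title": "E-Business Suite Home Page"},
]

if __name__ == "__main__":
    for address, status in report(SAMPLE).items():
        print(f"{address}\t{status}")
```

Assets reported as `verify` matched the title but carry no release information, so they should stay on the list until the installed release is confirmed.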